Based on the samples we found, we believe this group has been running a spear-phishing campaign for the last few weeks. The files we have analyzed are PDF files that contain code to exploit CVE-2013-0640. Once the victim opens the file, the system gets infected and a lure document is displayed to the victim. Some of the PDF lures we have found are:

Some of the exploit filenames:

2013-Yilliq Noruz Bayram Merikisige Teklip.pdf

联名信.pdf

arp.pdf

Based on the lures we found, it seems the same group is targeting both Tibetan and Uyghur activists in the same campaign.

The JavaScript code inside the PDF files is very similar to the one found in the ItaDuke samples, but some of the initial variables and the obfuscation present in the original have been removed.

The shellcode will create the file AcroRd32.exe in the Temp folder. That file decrypts an encrypted block using XOR operations with the key “[email protected]”.

The malicious payload will perform the following operations:

- Copy \WINDOWS\system32\wuauclt.exe to %APPDATA%\wuauclt\wuauclt.exe

- Drop a malicious DLL under %APPDATA%\wuauclt\clbcatq.dll

- Execute %APPDATA%\wuauclt\wuauclt.exe

Note that wuauclt.exe is a benign system executable. When the copied system binary is executed from %APPDATA%\wuauclt, it loads the clbcatq.dll placed next to it instead of the genuine one from the system directory. This technique is known as DLL search order hijacking.

The malicious DLL will be loaded when wuauclt.exe is executed. It is worth noting that the dropped clbcatq.dll does not export all the functions the original clbcatq.dll has. It only implements the ones that are required to run the malicious code:

[Figure: export table of the original clbcatq.dll compared with the export table of the malicious clbcatq.dll]
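The two host-side signals described above (a copy of a system executable living outside the system directories with a system-named DLL beside it, and a DLL whose export table is only a subset of the genuine one) can be checked mechanically. The following is an added example, not code from the original post or from AlienVault; the file inventory, the allow-lists and the export names are constructed for illustration, and a real deployment would take export names from a PE parser and the allow-lists from a known-good OS build.

```python
from pathlib import PureWindowsPath

# Constructed file inventory modelled on the dropper behaviour described above:
# a copy of wuauclt.exe placed under %APPDATA%\wuauclt beside a clbcatq.dll.
SAMPLE_FILES = [
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Windows\System32\clbcatq.dll",
    r"C:\Users\alice\AppData\Roaming\wuauclt\wuauclt.exe",
    r"C:\Users\alice\AppData\Roaming\wuauclt\clbcatq.dll",
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Program Files\Editor\editor.dll",
]

# Hypothetical allow-lists for this example: system binaries and the system DLLs
# they are expected to resolve from the Windows system directories.
SYSTEM_EXES = {"wuauclt.exe"}
SYSTEM_DLLS = {"clbcatq.dll", "mswsock.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def find_hijack_candidates(paths):
    """Return (exe_path, [dll_paths]) for every known system executable that sits
    outside the system directories with a system-named DLL in the same folder."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)
    findings = []
    for directory, entries in by_dir.items():
        if directory in SYSTEM_DIRS:
            continue  # the genuine location; a DLL here is expected
        exes = [e for e in entries if e.name.lower() in SYSTEM_EXES]
        dlls = sorted(str(e) for e in entries if e.name.lower() in SYSTEM_DLLS)
        for exe in exes:
            if dlls:
                findings.append((str(exe), dlls))
    return findings


def looks_like_stub_export_table(genuine_exports, suspect_exports):
    """True when the suspect DLL exports a non-empty strict subset of the genuine
    DLL's export names, the pattern observed for the dropped clbcatq.dll."""
    genuine, suspect = set(genuine_exports), set(suspect_exports)
    return bool(suspect) and suspect < genuine
```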

Once the malicious DLL is loaded, the malicious code will generate the following HTTP request:

The server will reply with an encrypted block of code that will be decrypted. The decrypted content is actually a DLL that exports the following functions:

GetWorkType

InfectFile

The payload will drop the following files:

\WINDOWS\system32\wbem\4BA5E980.PBK

\WINDOWS\system32\wbem\mstd32.dll

The InfectFile function will patch some code in the system library \WINDOWS\system32\mswsock.dll. If we take a look at the patched DLL:

[Figure: original version of mswsock.dll compared with the modified version]

If we take a look at WSPStartup_0:

We can see how the malicious DLL mstd32.dll will be loaded every time the system library mswsock.dll is loaded by a program.

The file mstd32.dll is signed using a certificate issued to “YNK JAPAN Inc.”. We have seen that certificate being used to sign malware dropped in several NGO attacks in the past.

Then the malicious code will perform the following HTTP request every few seconds:

The final payload is detected as Trojan.Win32.Swisyn and it has a lot of functionality to monitor and steal data from the infected system.

About the Author: Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team, which researches and integrates threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work on emerging threats and targeted attacks is frequently cited in international publications such as the New York Times, BBC, Washington Post and Al Jazeera.